DoS Profile Questions
Hi everyone,
I want to protect the company transactional website from L7 DoS/DDoS attacks using the DoS profile.
Users access the website via web browsers and mobile applications.
In order to avoid false positives and unwanted service cuts, I have gone through the official documentation; I will use the automatic Thresholds mode and I will run the profile in transparent mode for 7 days, but I still have some technical questions:
When setting up either transaction-based or stress-based DoS protection, the mitigation methods are the JavaScript challenges or the CAPTCHA challenges, which are not compatible with mobile applications, thus the only mitigation method that can work is the rate limit:
- In case of Thresholds Mode set to automatic, how does the rate limit work? Is there a difference between the rate limit mechanism used for transaction-based and stress-based DoS protection? Will it not impact the mobile application users' experience?
- Knowing that the same VS is used for both user access types (browsers and mobile application), which scenario do you recommend:
  - S1: Use only the rate limit as the mitigation method.
  - S2: Configure an iRule to disable the DoS profile for the mobile application (using User-Agent string matching), and apply the 3 mitigation methods available for browser access.
- Suppose the CAPTCHA is configured as a mitigation method: when a DoS/DDoS attack is detected and the mitigation is launched, is the WAF going to present the CAPTCHA to all users or only to those who are suspicious? In this case, is there a difference between transaction-based and stress-based?
The WAF is based on the access history to identify the number of TPS expected at a given moment.
- What is the % threshold above which the WAF considers traffic to be a DDoS attack? For example, if the expected TPS is 100, what should the real received TPS be for it to be considered an attack (120 TPS, 140 TPS, …)?
Thanks
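For reference, the kind of iRule that scenario S2 describes looks like the following. This is an added illustration, not code from the original post or from F5; it assumes the `DOSL7::disable` / `DOSL7::enable` iRule commands of the BIG-IP L7 DoS profile are available in the HTTP_REQUEST event, and it assumes a hypothetical User-Agent prefix `AcmeMobileApp/` that the company's mobile application is supposed to send.

```tcl
# Added example (not from the original post): sketch of the "S2" scenario,
# exempting mobile-app traffic from the HTTP (L7) DoS profile on a shared VS.
# Assumptions: the DOSL7::disable / DOSL7::enable commands are valid in
# HTTP_REQUEST, and the mobile app sends a User-Agent beginning with the
# hypothetical token "AcmeMobileApp/".
when HTTP_REQUEST {
    # Case-insensitive prefix match on the User-Agent header.
    # Caveat for the design decision: the User-Agent header is set by the
    # client, so every request that carries this prefix is exempted from
    # L7 DoS mitigation. The exemption widens the unprotected surface; it is
    # not an authentication of the mobile app.
    if { [string tolower [HTTP::header "User-Agent"]] starts_with "acmemobileapp/" } {
        DOSL7::disable
        # Record each exemption so the volume of unprotected traffic can be
        # reviewed alongside the DoS profile's own reporting.
        log local0. "L7 DoS profile disabled for mobile UA from [IP::client_addr]"
    } else {
        # Browser traffic keeps the full profile (JS challenge, CAPTCHA, rate limit).
        DOSL7::enable
    }
}
```

Because the exemption hinges on a client-supplied header, the rate of exempted requests is worth graphing alongside the profile's TPS baseline: a sudden rise in "mobile" traffic that does not match app release or usage patterns is the signal that the exempt path, rather than the protected one, is absorbing the load.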